Corporate Compliance Insights

In Search of the Rosetta Stone: Why Simplifying Cybersecurity is Essential for Mutual Fund Boards

How to Bridge the Gap Between Technologists and Boards of Directors

by James Pappas and Askari Foy
June 27, 2019
in Cybersecurity, Featured, Financial Services
Cybersecurity is one of the most daunting responsibilities mutual fund boards must confront, and so few on the board are well-versed in it. ACA Compliance Group’s James Pappas and Askari Foy discuss what’s needed to ensure the board understands the threats the organization faces.

Imagine if you were tasked with understanding an element of your job outside of your job description, and that understanding this element, if not done correctly, may result in dramatic losses and/or reputational risk for your organization.

But in the age of cybercrime, where financial services organizations are the second-most likely sector at risk for a cyberattack, cybersecurity has to be top of mind for each employee in the organization, from entry-level staff to senior management. Moreover, for mutual fund boards of directors, cybersecurity is a daunting task and one with many oversight responsibilities.

The SEC, now on its third cyber sweep in six years, has made it clear by naming cybersecurity a top examination priority that it is a crucial element of board oversight. But that’s easier said than done. Most mutual fund boards of directors meet only four to six times per year and are sometimes composed of retired mavens of industry with numerous other roles and responsibilities. Directors who sit on multiple boards and engage in their own pursuits often have limited time to dedicate to understanding this element of their oversight role.

Fund boards wrestle with how to effectively include cybersecurity in their oversight responsibilities. Cybersecurity is highly technical, rapidly evolving, requires continuous vigilance and demands significant ongoing resources. And while solutions are expensive, failures in this area are far more costly. As in other oversight roles, directors are charged with exercising their business judgment in oversight, not management.

Mutual fund boards of directors are tasked with understanding the threats, defenses, tools, infrastructure, human capital and monetary costs of cybersecurity, but they can only do so when given the proper tools. When technologists, even at the C-suite level, present to the board on the state of cybersecurity for their fund, more often than not, they’re speaking a completely different language – one that boards of directors struggle to understand.

In an age where not just financial institutions, but also regulators themselves have invested significant cost in understanding and adopting cybersecurity technology, both sides have become far more sophisticated. The SEC’s information request list has become far more detailed, and thus necessitates more detailed responses during exams. As the SEC has continued to stress cybersecurity, boards of directors stress as well.

In order for mutual fund boards of directors to properly do their jobs, their relatively infrequent meetings must be conducted in an efficient manner that results in a shared understanding for both parties and the tackling of business-critical risks. A framework for oversight can bridge the gap between technologists and boards of directors, creating a “Rosetta Stone” for the mutual understanding and appreciation of the policies and procedures in place to address cybersecurity.

Technologists have a tendency to believe that the more detailed and quantitative they can be in presentations to boards of directors, the better. But that tendency can be counterproductive, as what boards of directors need, beyond anything, is an understanding of the critical elements to business risk when it comes to cybersecurity. An effective conversation on cybersecurity between the mutual fund board of directors and the service provider takes planning, dialogue, pushing and compromising. At the conclusion of an effective meeting, the following questions should have been answered:

  • How is that to be done to the satisfaction of all parties concerned?
  • What are the topics, presentations and proof statements that address that business risk?
  • What will be the structure of the long-term oversight?
  • What ongoing governance and fund compliance processes does cybersecurity fit into?

For example, a director may ask how many times the firewall has been breached. But more effective questions are “How sophisticated are these attacks?” and “What have we done to understand this and protect against it?” Turning the question into a qualitative discussion of the business risks at the root of the problem is far more effective than merely counting the number of times a cyber event has occurred.

Patches are another top-line, yet confusing, item discussed during board meetings. There is often a misunderstanding by the board around the role of patches. Though it’s of course important to have patches in place, directors may not realize that if patches start to pile up and go unapplied, this leads to cyber vulnerability. Cybersecurity meetings are also typically the time when boards of directors review their third-party software vendors and assess performance – another area where a lack of shared language can cause a disconnect, as third-party risk has become a top underlying cause of cyber breaches.

A board meeting on cybersecurity can be likened to a homebuyer purchasing a house. As a prospective buyer gets closer to closing the deal, they ask more in-depth and probing questions about specific details, including the condition of the house, and other smaller concerns begin to arise. While prospective homeowners may not feel comfortable asking all the questions that come to mind, the most astute homebuyers make sure they do before making what is often the biggest purchase of their lives.

Similarly, boards of directors avoid asking questions related to cybersecurity, as they feel they do not have the domain expertise to do so and fear they do not even know which questions to ask. But management and the board share a fiduciary interest in a functional security program. If a “Rosetta Stone” is built to bridge the gap in understanding and expertise, directors will walk away from a cyber meeting able to exercise informed business judgment and do right by their stakeholders.


Tags: Board of Directors

James Pappas and Askari Foy

James Pappas is Managing Director of ACA Compliance Group. James has a history of leadership responsibilities as CEO and COO with experience in guiding business initiatives, identifying market opportunities, building investment product lines, leading staffing and executing profitable business initiatives, including the launch of a successful investment marketing startup. James has directed internal functions, including product development, investment operations, finance, legal, compliance and shareholder servicing. He held responsibility for external client management of Board of Trustees of investment products aggregating $80 billion in a complicated regulatory environment and sale of the company and also providing enterprisewide operational risk management assessment and oversight. James has served as a director of a family of public mutual funds, trustee of a large university foundation investment committee and chair of its audit and governance committee and risk management committee.
Askari Foy (MBA, CPA, CFE) is Head of the Global Regulatory Cybersecurity Practice at ACA Compliance Group. Askari has over 20 years of experience in the public and private sectors, including senior leadership positions. His specialties are executive leadership, business strategy, finance, corporate governance, enterprise risk management, regulatory compliance, financial statement analysis, information security and investment products and operations. Askari’s experiences include investment advisers, mutual funds, hedge funds, fund of funds, private equity funds, broker-dealers, transfer agents, national securities exchanges, clearing agencies, automated trading systems and banking institutions. He is an innovative, influential and successful leader committed to empowering others, implementing innovative strategies, building alliances and attaining organization goals.

© 2022 Corporate Compliance Insights